Top 10 in 2014: Internal audit considerations for technology companies. kpmg.com

Transcription

1 Top 10 in 2014: Internal audit considerations for technology companies kpmg.com

2

3 CONTENTS Introduction 2 New sources of revenue growth 4 Managing costs 5 Information technology 6 Risk management/regulatory compliance 10 About KPMG 14

4 2 Top 10 in 2014: Internal audit considerations for technology companies Introduction Our annual compilation of internal audit considerations for technology companies, Top 10 in 2014, focuses on the critical role internal audit can play in helping companies manage some of their leading risks more effectively in today s dynamic environment. In this year s publication, you will notice a set of ongoing focus areas which are consistent with those in These include the following: Mergers, acquisitions, and integration; Intellectual property protection; and Foreign Corrupt Practices Act and Antibribery and Corruption compliance. We also included a section on System implementation and upgrades, which is not an emerging area but one that we see as a continued focus area for internal audit organizations. We have also included in this publication the emerging focus areas for 2014 based on our research and discussions. These include the following: COSO 2013 framework; Cloud service management; Global mobility workforce; IT asset management; Data analytics and continuous auditing/ monitoring; and Contingent workforce. The areas of data analytics and COSO 2013 Framework are key internal audit focus areas. The remaining ongoing and emerging risk areas are internal audit focus areas related to business risks. Our selection of risk areas is based on a number of inputs, including: Discussions with chief audit executives at technology companies KPMG s Technology Internal Audit share forum Insights from KPMG s professionals who work with technology companies, and KPMG s survey data.

5 Top 10 in 2014: Internal audit considerations for technology companies 3 In addition, we wanted to briefly identify the changes that will result from the forthcoming revenue standard. In many cases, these changes will result in implementation challenges, particularly for businesses that currently recognize revenue in accordance with industry-specific guidance. In addition, companies with customer contracts containing diverse terms and conditions, or arrangements with varying goods or services delivered over longer periods of time may also face challenges in implementing the standard. The implementation challenges could have far-reaching effects, potentially requiring changes not just to accounting policies but also to income tax reporting and compliance, information technology systems, internal controls, business processes, and other business practices. As such, internal controls will be a key consideration. Design and implementation of appropriate internal controls over the process used to derive the transition adjustment and the ongoing process changes put in place as part of the implementation of the new standard are important considerations. Companies will need to critically assess the revised processes and system changes to appropriately identify risk points and help ensure that internal controls are designed and implemented to mitigate these risks. When implementing changes to the internal control structure, companies will need to carefully consider the resource capacity and training needs of individuals who will be performing any incremental internal controls being implemented. The capacity and training needs of individuals responsible for performing testing over the design and operating effectiveness in support of management s evaluation of internal control over financial reporting should also be carefully considered. The top 10 focus areas on the following pages focus on some of the risks technology companies face as they evaluate their strategies and make investments in the following areas: New sources of revenue growth (mergers, acquisitions, and integration) Managing costs (contingent workforce) Information Technology management (IT asset management, cloud service management, system implementation and upgrades, and data analytics and continuous auditing/ monitoring). Risk management and regulatory compliance Foreign Corrupt Practices Act and antibribery and corruption, intellectual property protection, and COSO 2013 framework. All 10 focus areas highlight the leading exposures companies are working to address as they enter 2014.

6 4 Top 10 in 2014: Internal audit considerations for technology companies New sources of revenue growth Mergers, acquisitions, and integration Drivers: Assessing strategic risks of M&A activity, including impact on other parts of the business Implementing a more rigorous and better-controlled M&A program that identifies risks and manage these risks Obtaining validation of deal risks and expectations before they are communicated to stakeholders Enhancing execution planning, delivery, and performance tracking Improving integration processes across all key functions. A need to manage execution risk more effectively is also leading many technology companies to design additional rigor into their merger and acquisition programs to help ensure a fact-based and well-controlled diligence, valuation, integration planning, and execution process. Example activities for internal audit to consider include: Performing post mortem reviews on prior deals to assess the effectiveness of existing processes and playbooks Preparing and monitoring the adherence to accounting and internal control due diligence checklists that address key deal areas (i.e., quality of earnings and assets, cash flows, unrecorded liabilities) identify internal control gaps for both the acquired company and on a combined basis Understanding communication processes between finance, internal audit and deal teams to assess control implications of executing business process change during active integrations Performing a project risk assessment review of the business integration process, focusing on potential risks, integration success metrics, and information systems.

7 Top 10 in 2014: Internal audit considerations for technology companies 5 Managing costs Contingent workforce Drivers: Accelerating achievement of business objectives through the sourcing of temporary skills when and where it s needed Experiencing demand for flexible workforce to address technology s cyclical business levels Changing workforce (age disparity, culture) Increasing globalization and cross-border work Adopting concept of just-in-time hiring to address short term, specific needs rapidly Utilizing virtual resources (i.e., offshore versus onshore) and identifying implications to businesses across time zones. With an increased focus on flexibility and cost management as companies emerge from the global economic decline, a shift to a contingent workforce mix as part of an overall staffing strategy has gained traction as a viable option. Managed governance services, wholly outsourced functions, and select independent contractors are among the many options available today. While concerns related to intellectual property protections and knowledge retention through loss of developed internal resources remain, other key risks include: Procurement: Processes slowing the selection/on-boarding process of third-party resources (i.e., nullifying speed to market benefits) Regulatory: US federal/state laws that apply to contingent workforces (e.g., FLSA, SOX, U.S. healthcare reform) Talent management: Contingent workforce utilization should be considered in the overall business strategy, which if aligned properly with HR talent management, will allow for the proper workforce planning activities to ensure contingent workforces and internal resources alike are used in a productive manner Global mobility/expat: Staffing remote needs globally and understanding local implications through use of expatriates, management of mobile resources, and communication with/ optimization of third-party resources Example areas where Internal Audit can assist management include: Strategic review of sourcing portfolios and the service delivery model Market assessment of resource mix and related costs Change and communications guidance in conjunction with transformation initiatives Governance knowledge as it relates to vendor and sourcing portfolio management Global mobility strategy.

8 6 Top 10 in 2014: Internal audit considerations for technology companies Information technology IT asset management (hardware, software) Drivers: Reducing risk of software license noncompliance, and potential financial exposure, through proactive management of software deployments and license entitlements. Reducing unnecessary spend with software vendors by identifying: licenses not used or under used, software incorrectly deployed or configured and software licenses that have not been enhanced or consolidated. Reducing IT operational risk through provision of a complete and accurate hardware and software asset inventory (leveraged for IT security, software release management and helpdesk operations). Annual server and software expenditures can be the largest IT budget items for many technology organizations. Yet, few really focus on proactively managing these valuable assets through a wide-ranging IT or software asset management (SAM) program. In addition to cost savings, an effective program can reduce the risk and impact of unexpected software license audits (which can result in very high settlements with the vendor). Also, knowing what IT software and hardware assets you own, how many you have deployed and where, provides a vital database for IT security, and other day-to-day IT operations. Areas that would be examined by internal audit during an IT or software asset management review may include: Inventory count for selected software of total deployments and licenses purchased. This will show where the organization has any under-licensed or over-licensed software and can be used to rationalize current licensing entitlements and deployment configurations. Process and organization review of the IT asset management lifecycle from initial request for procurement through to asset retirement. This will show where there are gaps in the process and organization that may result in IT assets not being managed effectively. IT asset management tool review to check if the current tools deployed are reporting correctly (in terms of both completeness and accuracy). Cloud service management (public cloud, private cloud, data privacy) Drivers: Implementing an effective process for managing regulatory requirements postimplementation of a cloud platform Improving compliance with regulatory and legal requirements, as well as with Sarbanes-Oxley

9 Helping ensure personally identifiable information (PII) is protected as business models evolve Helping ensure availability of data which is no longer on premise. As cloud services can be delivered in different ways (e.g., Saas, Paas, and IaaS) and operational models (such as public, private, and hybrid), cloud customers face risks when moving their IT infrastructure to the cloud. The solution architecture should account for the nature of risks in the cloud environment, and determine how the provider implements controls. The greatest opportunity to mitigate or remediate risks lies with the proactive involvement of IT teams during the solutions architecture phase. Any proposed cloud approach should be evaluated for regulatory compliance before it is implemented. Cloud planning should also be monitored continuously throughout the cloud solution s life cycle (from initial design through vendor selection, implementation, usage, and decommissioning/data reclamation). Organizations need to reframe regulatory compliance as an enabling force, thereby changing how it is addressed and perceived. This would increase the successful implementation and usage of cloud technology tools in support of business objectives. Regulatory compliance in the cloud is about risk optimization, not risk avoidance, and is part of enhancing an organization s capabilities. As companies manage through the impact of continued globalization and economic recovery, an increased sense of urgency has emerged surrounding information security and privacy. If privacy and security are not addressed, organizations can be exposed to a host of risks ranging from the breach of personal information, which may lead to identity theft and access management issues, to availability and company reputation damage. By performing thorough due diligence on the overall security architecture of cloud deployments, organizations can have long-lasting reductions in the overall security and privacy risks. As technology companies increase their use of cloud platforms, these companies need to help ensure data is protected. Companies now face an increased security risk, which is why it is important to align controls to the changing environment to protect data. Areas that could be examined by internal audit during cloud information security and privacy review may include: Establishing the operating model for compliance such as the roles and responsibilities between the cloud service provider (CSP) and the company. This is driven by the type of services model engaged by the company Programs for data breach notification as required for regulatory and legal compliance Access governance program, process, and controls to help ensure inappropriate access is not permitted Management sponsorship of security and privacy programs, and level of awareness training (e.g., password protection, information risks, and appropriate handling of confidential customer/employee information) Security audits around cloud platforms System implementations and upgrades Drivers: Enabling business process improvements and reengineering goals Recognizing that legacy technology platforms are not sufficiently scalable, reliable, agile, adaptable, responsive, or extensible Identifying need for upgrades due to vendor licensing and support agreements Enabling compliance with legal and regulatory requirements Leveraging recent advances in technology for revenue generation and gaining operational efficiencies.

10 8 Top 10 in 2014 Internal Audit Considerations for Technology Companies A continued key driver for companies is aligning the technology systems to enable various components of the business strategy. In certain cases, companies are exploring upgrade options to help ensure continued vendor support for their systems. However, companies face the risk of systems implementation/upgrades not being able to deliver intended benefits and value to the business. Additional risks include budget and schedule overruns, coordination with enterprise architecture, perception of a narrow tools-only approach, and overlooking related process/people enablers. Another key challenge is successfully managing individual and organizational resistance to change. Areas that internal audit can examine during a systems implementation and upgrade review include: Business benefit and value realization is being tracked and managed throughout the project lifecycle Clear and thorough understanding of business and process requirements (with the representative set of identified stakeholders) prior to detailed design and implementation Due diligence in evaluation and selection of software package and implementation vendors Structured approach to organizational change management and business readiness Program/project management function is established appropriately to help ensure rigor around governance, transparency, stakeholder alignment, consistency, scope, and risk management Well-defined entry and exit criteria for each of the system implementation phases with early/continuous opportunities for user validation embedded throughout the various phases Alignment with current/proposed business and enterprise architecture Representative set of test cases for integration and user acceptance testing to exercise all system features and user scenarios Integration of full-time technology staff with the third-party vendor teams to help ensure smooth transition postimplementation while leveraging their institutional knowledge Data analytics and continuous auditing/ monitoring Drivers: Identifying the right audits to perform (coverage focus) Increasing the number of audits performed per year (coverage breadth) Decreasing the time required to cycle through the audit universe (coverage efficiency) Increasing the frequency of audits of key risk areas (coverage frequency) Increasing the scope of specific audits (coverage depth). The integration of data analytics tools and techniques in internal audit methodology is driving a fundamental transformation and improving audit approaches. Consider the traditional

11 Top 10 in 2014: Internal audit considerations for technology companies 9 audit approach, which is based on a cyclical process that involves manually identifying control objectives, assessing and testing controls, performing tests, and sampling only a small population to measure control effectiveness or operational performance. Fast forward to a continuous auditing approach using repeatable and sustainable data analytics and the approach becomes much more risk-based and thorough. With data analytics, technology companies have the ability to review every transaction not just a sampling which enables a more efficient analysis on a greater scale. In addition, leveraging data analytics also accommodates the growing risk based focus on fraud detection and regulatory compliance. The following are characteristics of a mature IA plan; throughout the developing, executing, and reporting phases: Automated extract, transform, and load (ETL) process System-generated analytics and dashboards are monitored by the business against specified risk criteria Aligning the strategic goals and objectives of technology companies to risk management practices Strategic objectives and risks to those objectives are monitored and prioritized on a continuous basis IA plan is dynamic and able to react to changes in the business Data analytic enabled audit programs Audit procedures are designed to verify the underlying data analysis and reporting of risk at the business level to help ensure that they are aligned with the enterprises strategic goals and objectives IA is connected to the same data and reporting as management and assesses the quality of the data and the analytics monitored by the business Automated auditing is focused on root cause analysis and management s responses to risks, including business anomalies and trigger events. Consistent use of analytics, including descriptive, diagnostic, predictive, and prescriptive elements.

12 10 Top 10 in 2014: Internal audit considerations for technology companies Risk management/regulatory compliance US Foreign Corrupt Practices Act (FCPA) and Antibribery and Corruption (ABC) Compliance Drivers: Identifying emerging regulatory and compliance risk, such as that introduced by organic expansion into new markets, third parties, acquired businesses Providing insight to stakeholders regarding the effectiveness of existing antibribery and corruption compliance activities Preserving the company s ability to control when it discloses a potential violation to the regulators, if at all. How significant a risk is bribery and corruption? According to some estimates, the average cost related to the resolution of an FCPA matter was more than $80 million in 2013, representing DOJ and SEC fines, penalties, disgorgement, and prejudgment interest. Viewed in this context, it is easy to understand the amount of attention companies have paid to understanding their bribery and corruption exposure and to evaluating their current compliance programs. Technology companies are particularly vulnerable to bribery and corruption risks posed by third parties such as distributors, channel partners, agents, intermediaries, consultants, representatives, contractors and suppliers, consortia, and joint venture partners. An ounce of prevention The benefits of an effective antibribery and corruption compliance program, calibrated for a company s specific risk profile, are clear. Clearly written policies that spell out prohibited activity, the commitment of executive management to antibribery and corruption efforts, periodic training, audit clauses in agreements with third parties, and vigilance by compliance personnel can deter bribery and corruption, thereby reducing the risk of costly and disruptive regulatory enforcement activity. Should the unthinkable occur, a well designed and executed antibribery and corruption compliance program may mean the difference between a prosecution and a nonprosecution agreement, and may even reduce the amount of monetary fines and penalties levied. Internal audit can play a vital role in an organization s antibribery and corruption efforts by: Conducting a gap assessment of the organization s existing antibribery and corruption procedures in relation to leading practice, regulatory guidance Providing assurance regarding the design and operating effectiveness of the organization s applicable preventative and detective controls Collaborating with the business to improve existing antibribery and corruption procedures Enhancing internal audit return on investment by embedding antibribery and corruption procedures into its existing/ scheduled audits and third-party oversight activities Surfacing bribery and corruption risk through data analytics, third-party audits Lending resources to or leading investigations into matters involving potential noncompliance Driving continuous improvement through testing and evaluation of the organization s antibribery and corruption program.

13 Intellectual property protection Drivers: Management and protection of IP is of utmost importance to virtually all technology companies Achieving protection of IP assets from loss or overuse Ensuring IP management processes are in line with internal and external compliance requirements Identifying IP related contracts with self reporting requirements Recognizing IP strategy is not aligned with business or product strategy. Every day, businesses lose countless dollars without even realizing it. In many cases, revenue can vanish because vendors, distributors, and licensees unintentionally fail to meet contractual obligations. Today, intellectual property (IP) is at the core of, and a key enabler of, many business relationships. As business increasingly takes place through a network of separate entities joint ventures, alliances, and less-structured arrangements IP makes it possible to share intangible assets in an effective ecosystem that spans the globe. Many organizations license their valuable intellectual property trade secrets, designs, patents, and trademarks or share them with other third parties (e.g., vendors for use in contract manufacturing or channel partners for comarketing efforts). IP-related risk can stem from highly complex contracts that do not identify key requirements or responsibilities clearly, or from changed circumstances, mistakes, or deliberate misstatements, but managing IP means more than enforcement. IP can be sold or licensed for revenue, to support tax-efficient structures or as collateral for borrowing. Whatever the situation, the need to manage risks related to third-party IP relationships is critical to delivering significant bottom-line benefits. Internal audit can support these efforts with: Compliance by reviewing and monitoring the compliance of third-party IP contracts (both internally and externally) to help protect the bottom line and nonfinancial impacts (e.g., unlicensed transfer of IP to restricted countries). These contracts can include brand, technology, and software rights. It can also cover grey market and channel distribution/reseller agreements. Process review with an internal audit or SOX review specifically related to IP processes, consider all elements of the IP lifecycle including: IP protection, IP management, and IP enforcement. Global mobility workforce Drivers: Increasingly international-oriented workforce amongst high growth technology companies Mitigating changing and emerging risks, including an evolving and increasingly complex regulatory global tax environment Reducing costs and driving business value through improved quality and service Increasing workplace productivity, employee attraction, and retention Helping to uncover potential savings Implementing ideas and methodologies to increase the efficiency and effectiveness of assignment programs Identifying process improvements that support global corporate goals and compliance initiatives. Our member firm s clients grow in many instances by way of international expansion. By operating in new countries or increasing their presence in a country, there s an inherent need to grow the workforce to create the organizational capability it needs to realize its business goals and objectives. A major way to get key talent into these countries is through using international assignments. Deploying personnel cross-border involves many inherent cost and compliance implications and requires a great effort to manage new regulatory environments.

14 12 Top 10 in 2014: Internal audit considerations for technology companies Internal audit can assist management with these challenges across multiple departments by assessing the following: Review cost management processes to help ensure appropriate forecasting, accrual management, authorizations, and intercompany cross-charging Review payroll processes to determine calculation and reporting of pay (including multiyear incentive compensation) to local revenue authorities is accurate and timely Review human resources data management compliance relative to relevant data privacy provisions and security mandates Determine if existing organizational IT systems may be sufficient to manage the tracking, compliance, and task management functions of maintaining a global workforce Help ensure there are processes and resources to keep pace with of regulatory change keeping up with tax law changes requires extensive global knowledge, experience, and resources. Alignment to COSO 2013 framework Drivers: Updated internal control framework issued on May 14, 2013 which companies need to comply with by December 15, With the release of COSO 2013 framework, companies both small and large have taken note of the key changes, some of which include the following: changes in business and operating environments, expanded operations and reporting objectives, increased relevance and dependence on IT, and fraud risk assessments and response. The new framework suggests, for internal control to be effective, each of the 17 newly developed principles must be present and functioning in a coordinated manner. Recognizing the importance of the COSO 2013 framework, many internal audit organizations within technology companies have begun a process to align their existing processes and control structure to meet the new framework guidelines. Identify and discuss control design gaps with senior management and develop plans to remediate any such gaps. Perform an assessment of the impact of the 2013 framework on your organization s policies, guidance, training, and related tools. Work with senior and line management to communicate the impact of the 2013 framework on the organization to internal audit and the board/ audit committee. Discuss with the audit committee the impact of the 2013 framework on internal audit s operations and plans. Areas that internal audit can examine during a COSO 2013 alignment review include: Develop your plan to transition from the 1992 COSO framework to the 2013 COSO framework. Map the 17 principles and points of focus to your existing controls or controls the organization is contemplating in an organizational transformation within each component to demonstrate where the relevant principles are present and functioning in support of the objectives.

15 Top 10 in 2014: Internal audit considerations for technology companies 13

16 14 Top 10 in 2014: Internal audit considerations for technology companies About KPMG

17 Top 10 in 2014: Internal audit considerations for technology companies 15 KPMG: An experienced team, a global network KPMG s Internal Audit technology professionals combine industry knowledge with technical experience to provide insights that help technology leaders take advantage of existing and emerging technology opportunities and proactively manage business challenges. Our professionals have extensive experience working with global technology companies ranging from FORTUNE 500 companies to pre-ipo start-ups. We go beyond today s challenges to anticipate the potential long- and short-term consequences of shifting business, technology. About the authors Ron Lopes Ron is a partner in KPMG s Advisory practice and has more than 25 years of experience in the Silicon Valley. Ron has significant experience guiding the delivery of services to many leading multinational technology companies to help them create high-value-added risk and business management processes. Ron has worked on a multitude of projects for clients, including Sarbanes-Oxley (SOX) Section 404 compliance efforts, internal audits, financial and operational control reviews, risk assessments, third-party compliance audits, process reviews, financial statement audits and process improvement engagements. Ron has developed and implemented high-impact risk assessment and audit planning methodologies as well as self-assessment strategies for internal audits. Ron has significant experience in revenue recognition, financial reporting, and benchmarking/leading practices. A significant portion of his career has involved assisting clients with the coordination and execution of large international projects, and objectives. Mariam Barar Mariam Barar is a Director in KPMG s Risk Consulting practice in the Silicon Valley Office. Mariam has experience with overseeing client engagements for Fortune 500 companies in the Technology Sector. She has expertise in developing and implementing Sarbanes-Oxley (SOX) Section 404 compliance programs, internal controls, and working with large scale global teams.

18 16 Top 10 in 2014: Internal audit considerations for technology companies

19 Top 10 in 2014: Internal audit considerations for technology companies 17

20 Contact us Gary H Matuszak Global Chair, KPMG s Technology, Media & Telecommunications practice T: E: gmatuszak@kpmg.com Richard Hanley National Advisory Industry Leader, KPMG s Technology, Media & Telecommunications practice T: E: rhanley@kpmg.com Tom Lamoureux Global Advisory Technology Industry Leader T: E: tlamoureux@kpmg.com Ron Lopes Partner, Advisory T: E: rjlopes@kpmg.com kpmg.com The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ( KPMG International ), a Swiss entity. All rights reserved. Printed in the U.S.A. The KPMG name, logo and cutting through complexity are registered trademarks or trademarks of KPMG International. NDPPS